hive -- authorization logic vulnerability

Details

VuXML ID: a5c204b5-4153-11e6-8dfe-002590263bf5
Discovery: 2016-01-28
Entry: 2016-07-03

Sushanth Sowmyan reports:

Some partition-level operations exist that do not explicitly also
authorize privileges of the parent table. This can lead to issues when
the parent table would have denied the operation, but no denial occurs
because the partition-level privilege is not checked by the
authorization framework, which defines authorization entities only
from the table level upwards.
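
A simplified model of the flaw described in the report, added here as an illustration and not taken from Hive's code or API. The Entity type, the grant table, the user names and the function names are all constructed for the example. It assumes the unchecked partition is simply skipped by the authorizer, and shows the corrected check resolving each partition to its parent table.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Entity:
    database: str
    table: Optional[str] = None
    partition: Optional[str] = None  # e.g. "ds=2016-01-28"


# Constructed grants. Privileges attach to table-level entities only,
# modelling a framework with no partition-level authorization entity.
GRANTS = {
    ("alice", Entity("sales", "orders")): {"SELECT", "ALTER"},
    ("bob", Entity("sales", "orders")): {"SELECT"},
}


def parent_allows(user: str, entity: Entity, privilege: str) -> bool:
    """Check the privilege on the table that owns the entity."""
    parent = Entity(entity.database, entity.table)
    return privilege in GRANTS.get((user, parent), set())


def authorize_flawed(user: str, entities: Iterable[Entity], privilege: str) -> bool:
    """Model of the flaw: partition entities are never authorized."""
    for entity in entities:
        if entity.partition is not None:
            continue  # unknown entity level: skipped, so no denial occurs
        if not parent_allows(user, entity, privilege):
            return False
    return True


def authorize_fixed(user: str, entities: Iterable[Entity], privilege: str) -> bool:
    """Resolve every partition to its parent table and check there."""
    entities = list(entities)
    if not entities:
        return False  # fail closed when nothing was resolved to check
    return all(parent_allows(user, e, privilege) for e in entities)


# Constructed operation: altering one partition of sales.orders.
ALTER_PARTITION = [Entity("sales", "orders", "ds=2016-01-28")]
```

In this model, bob holds only SELECT on the table, yet the flawed check lets his partition-level ALTER through because nothing ever evaluates it; the fixed check denies it at the parent table.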